Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following component file(s):
- "%User Temp%\{random folder name}\{random folder name}\wow.dll" - detected as BKDR64_AGENT.GTY
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
It drops the following non-malicious file:
- "%User Temp%\{random folder name}\{random folder name}\wow.ini"
It injects itself into the following processes running in the affected system's memory:
It creates the following folders:
- %User Temp%\{random folder name}\{random folder name}
Autostart Technique
This backdoor modifies the following registry entry(ies) to enable its automatic execution at every system startup:
HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\
InProcServer32
[Default] = "%User Temp%\{random folder name}\{random folder name}\wow.dll"
(Note: The default value data of the said registry entry is "%System%\SHELL32.dll".)
Other System Modifications
This backdoor adds the following registry entries:
HKEY_CURRENT_USER\Software\Classes\
clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\inprocserver32
[Default] = "%User Temp%\{random folder name}\{random folder name}\wow.dll"
It adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
iehardenienowarn = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
warnonbadcertrecving = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
warnonpostredirect = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
url history
daystokeep = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer
smartdithering = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer
autosearch = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\LowRegistry\DontShowMeThisDialogAgain
displaytrustalertdlg = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
noprotectedmodebanner = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
ie9runonceperinstallcompleted = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
ie9tourshown = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
smoothscroll = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
show image placeholders = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
usethemes = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
force offscreen composition = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap
ieharden = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\internet explorer\main
DisableFirstRunCustomize = "1"
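The two registry changes described above (the redirected CLSID InProcServer32 and the lowered Internet Explorer settings) can be audited with the following PowerShell script. It is an added example for this page, not Trend Micro's code and not part of the original description; it only reads the registry and reports. The CLSID, key paths, value names and value data come from the description above; the expected InProcServer32 data is the SHELL32.dll default the description gives; the function names are mine. One point worth making explicit: HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, and the per-user half takes precedence, which is why the copy of the CLSID this backdoor writes under HKEY_CURRENT_USER\Software\Classes is enough to redirect the COM object without administrator rights.

```powershell
# Added audit script, not part of the Trend Micro description. Read-only: it
# reports the registry state the description lists and changes nothing.
# Assumptions: the CLSID, key paths, value names and data are taken from the
# description; the expected InProcServer32 data is the SHELL32.dll default the
# description gives; value data is compared as strings.

$Clsid = '{fbeb8a05-beee-4442-804e-409d6c4515e9}'
$ExpectedServer = Join-Path $env:SystemRoot 'System32\SHELL32.dll'

# HKCR merges HKLM\Software\Classes and HKCU\Software\Classes; the per-user half
# wins on conflict, so a CLSID copy under HKCU redirects the object without
# administrator rights. Any per-user copy of this CLSID is therefore reported.
$ClsidKeys = @(
    "HKCU:\Software\Classes\CLSID\$Clsid\InProcServer32"
    "HKLM:\Software\Classes\CLSID\$Clsid\InProcServer32"
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32"
)

# IE values the description lists, with the data the backdoor writes.
$IeIndicators = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'iehardenienowarn'; Bad = '0' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'warnonbadcertrecving'; Bad = '0' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'warnonpostredirect'; Bad = '0' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\url history'; Name = 'daystokeep'; Bad = '0' }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer'; Name = 'smartdithering'; Bad = '0' }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer'; Name = 'autosearch'; Bad = '0' }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain'; Name = 'displaytrustalertdlg'; Bad = '0' }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'noprotectedmodebanner'; Bad = '1' }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'ie9runonceperinstallcompleted'; Bad = '1' }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'ie9tourshown'; Bad = '1' }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'smoothscroll'; Bad = '0' }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'show image placeholders'; Bad = '0' }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'usethemes'; Bad = '0' }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'force offscreen composition'; Bad = '0' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'; Name = 'ieharden'; Bad = '0' }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'; Name = 'DisableFirstRunCustomize'; Bad = '1' }
)

function Get-RegistryDefault {
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    # Get-ItemProperty exposes a key's (Default) value as the '(default)' property.
    $item = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Test-ClsidHijack {
    foreach ($key in $ClsidKeys) {
        $server = Get-RegistryDefault -KeyPath $key
        if ([string]::IsNullOrEmpty($server)) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($server)
        # Anything other than the stock SHELL32.dll, or any per-user override
        # at all, deserves a look; a DLL under Temp is the pattern described.
        $suspicious = ($expanded -ne $ExpectedServer) -or ($key -like 'HKCU:*')
        [pscustomobject]@{
            Key            = $key
            InProcServer32 = $server
            UnderTemp      = ($expanded -like "$env:TEMP\*")
            Suspicious     = $suspicious
        }
    }
}

function Test-IeHardening {
    foreach ($ind in $IeIndicators) {
        if (-not (Test-Path -LiteralPath $ind.Key)) { continue }
        $item = Get-ItemProperty -LiteralPath $ind.Key -Name $ind.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data = [string]$item.($ind.Name)
        if ($data -eq $ind.Bad) {
            [pscustomobject]@{ Key = $ind.Key; Name = $ind.Name; Data = $data }
        }
    }
}

Write-Host "CLSID $Clsid InProcServer32:"
Test-ClsidHijack | Format-Table -AutoSize
Write-Host 'IE values set to the data the backdoor writes:'
Test-IeHardening | Format-Table -AutoSize
```

Run it in the affected user's session, since most of the keys live under HKEY_CURRENT_USER. The description notes that the malware may change the security properties of the registry keys it creates to block access; the script treats a key it cannot read as absent (SilentlyContinue), so an access-denied error on one of these paths is itself worth noting rather than dismissing.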
Backdoor Routine
This backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:
- {BLOCKED}f.com
- {BLOCKED}f.com
Web Browser Home Page and Search Page Modification
This backdoor lowers the security setting of Internet Explorer.
NOTES:
This backdoor is capable of encrypting the drop files using Windows Encrypting File System (EFS) feature.
The malware may also change the Security Properties of the drop files and created registries, to disable access to the files and registry.
Upon connection to the remote server, the backdoor may send the following to the remote location:
- http://{BLOCKED}f.com/script.php?sid=8&q={keyword}&ref={ref}&={ua}&lang={lang}
where {keyword} could be any of the following:
average+cost+of+health+insurance+for+a+small+indiana+compnany
types+of+business+insurance+policies
free+grant+money+colleges
groupon+for+oil+change+in+new+jersey
aarp+term+life+insurance+rates
adt+home+security+systems+haines+city
do+small+tasks+online+make+money
adipex+p+prescriptionplus
how+to+apply+for+health+insurance+for+fiancee+visa+immigrant
merchant+credit+card+processing+lowest
what+is+the+snowball+effect+in+debt+reduction?
average+rate+quote+car+insurance+new+york
cost+qualified+high+deductable+health+insurance+plan
criminal+justice+degree+and+virginia
health+insurance+for+travellers+into+usa
london+ontario+memorial+boys+and+girls+club+offer+15%discount+to+car+insurance
order+a+credit+report
business+insurance+vehicle
criminal+justice+records
non+profit+consumer+credit+counseling+service
computer+science+bachelors+degree+online
fitness+weight+loss+houston
seap+debt+counseling+credit+card+processing
adipex+p+forums
broward+college+online+rn+program
auto+insurance+ontario+quote
global+debt+management
groupon+scandigital+03/14
hud+required+credit+reports+for+business+purposes
canadian+debt+settlement
credit+card+debt+settlement+online
at+home+business+nebraska
auto+car+cheap+insuran+insurance+allstate+insurance+georgia
oxford+health+insurance+family+coverage
renter+business+insurance
affordable+health+insurance+for+individual
home+alarm+systems+for+alzheimers+or+dementia
laptops+bad+credit+financing
understanding+construction+general+liability+insurance
payday+faxless+fast+cash+loan
free+credit+card+logos+for+business
good+debt+settlement+companies
online+auto+title+loans
buy+instantly+car+insurance+new+jersey
payment+processing+emerge+credit+card
attorneys+that+have+successfully+sure+auto+owners+insurance+company
free+health+insurance+pennsylvania+quote
is+groupon+a+fraud?
what+is+john+desmores+college+degree?
kennel+cough+doxycycline
klonopin+for+chronic+pain
debt+recovery+crbu
naugatuck+valley+community+college+online+courses
auto+insurance+quote+in+hudson+florida
health+insurance+defazio+coverage+refusal
competitive+quote+car+insurance
google+register+domain+names
domestic+partner+coverage+for+health+insurance+in+monroe+county+ny
debt+relief+laws
does+cancelling+a+credit+card+hurt+your+credit+rating
metlife+auto+insurance+quote
debt+settlement+customers+pa+19422
adipex+d
creditcard+debt+reduction
hope+college+online+vet+assistant
inexpensive+accelerated+college+degree+programs
supervised+visitation+commercial+general+liability+insurance
quick+car+insurance+quote
hhgreggs+business+credit+cards
afba+life+insurance+complaint
general+american+life+insurance+class+action
uk+small+debt+recovery
accounting+for+life+insurance+policies
percent+of+sucessful+debt+reduction+programs
personal+loans+no+credit
paying+federal+income+tax+by+credit+card
self+help+credit+repair
irs+debt+relief+program
security+of+finanacial+transactions+with+credit+cards
colorado+non-profit+credit+card+donation+processing
emergency+medical+alarm+button
look+for+best+free+health+insurance+quotes
mobile+home+loans+for+poor+credit
credit+report+gov
can+you+be+denied+life+insurance+because+of+a+benig+brain+tumor
adipex+ingredient
cash+advance+loan+lenders
legitimate+debt+relief+company+pa+19422
easiest+college+degree
debt+reduction+negotiation
health+insurance+companies+for+the+state+of+new+york
credit+repair+firm+goldsboro+nc
online+psychology+degree+program
clinton+debt+reduction+social+security
credit+card+processing+compliance
low+income+housing+debt+reduction
signmaking+business+insurance
cheap+car+insurance+rates
job+related+health+insurance+coverage
best+health+insurance+for+people+50+or+older
cheap+pa+auto+insurance
senior+consumer+credit+counseling
the+best+international+flower+delivery+service
car+insurance+rates+comparison+ontario
debt+recovery+online+uk
jobs+that+dont+require+a+college+degree
historian+college+degree
groupon+las+vegas+to+hollywood
car+insurance+quotes+01376
credit+card+processing+fort+worth
how+much+does+car+insurance+cost+forcertain+cars
pensacola+debt+recovery
bike+insurance+quote+ontario
health+insurance+for+people+under+65
whos+the+new+band+on+free+credit+report+commercials
auto+insurance+companies
allstate+car+insurance+quote
auto+insurance+compare+quotes
grady+credit+card+processing
aplly+for+more+than+one+health+insurance
auto+insurance+quotes+toronto
compare+life+insurance+quotes
funeral+flowers+for+soldiers
community+college+minnesota+psychology+degree
online+degree+programs+for+certified+teachers
how+to+get+a+copy+of+your+childs+credit+report
car+for+cheap+insurance+for+17+year+old
easy+fast+lot+make+money
credit+card+debt+repair+agenties+in+knoxville+tn+are+they+honest
credit+repair+services+goldsboro+nc
online+college+degree+programs
california+business+insurance
health+insurance+coverage+alcohol+related+injury
best+individual+health+care+insurance+online+quotes
celebrex+and+antihistamine
car+insurance+vauxhall+quotes
buying+auto+insurance+online
federal+credit+card+debt+relief
nc+debt+settlement
what+credit+cards+pull+credit+reports+from+equifax+and+experian
car+insurance+imported+cars+uk
send+flowers+to+ashwood+vic
cheapest+domain+registration
groupon+coupons+phoenix
debt+relief+san+fernando+valley
groupon+village+of+baytowne+wharf
compare+work+at+home+jobs
aromatherapy+home+based+business
credit+repair+canada
health+insurance+for+high+risk+people
email+marketing+service
credit+cards+avaliable+for+good+credit+ratings
health+insurance+coverage+for+senior+expats
doctorate+of+engineering+online+degree
a+n+t+credit+cards+business
payroll+tax+debt+relief
kansas+city+groupon
online+degree+programs+univ+missouri+columbia
payday+cash+loans
credit+card+debt+relief+in+canada
adipex+buy+p
auto+insurance+companies+united+states+2013
pyxism+home+based+business+home+based+online+business+business+oppotunity+and+call+me
top+five+insurance+auto+companies+in+nm
glen+beck+college+degrees
broker+of+health+and+life+insurance
example+letters+to+dispute+credit+report
zambio+credit+card+processing+for+adult+paid+sites
hire+car+insurance
auto+insurance+quote+anonymous
complaints+about+freedom+debt+relief
classic+car+insurance
domain+registration+and+hostingaccredited+bachelor+degrees+online
comprehensive+car+insurance+quotes+in+australia
national+debt+relief+act
instant+online+auto+insurance
levaquin+class+action+suit
credit+card+van+business
2013+health+insurance+for+adult+children
adipex+metairie+la
credit+card+consolidation+loans
auto+home+insurance+quotes
dental+care+credit+card
groupon+travel
health+and+dental+insurance
online+college+courses+bay+area
statistics+of+college+degree
cheapest+toronto+car+insurance
advertising+a+home+based+business
auto+insurance+quotes+dui
online+auto+insurance+estimates
1st+insurance+health+insurance+quotes+in+london
home+and+auto+insurance+quotes
groupon+london+ontario
adt+home+security+system+reviews
perception+of+online+college+degrees
checks+unlimited+address+stamp+discount
provider+information+for+delaware+health+insurance
christian+college+degree+in+public+health+on-line
analysis+of+value+of+college+degree+vs+cost
credit+card+debt+settlement+facts
approved+funding+for+debt+management+agencies+from+irs
blue+cross+blue+shield+health+insurance+in+illinois
zehrs+health+insurance+coverage
how+long+to+charge+offs+stay+on+credit+report
credit+report+association+for+comcast+cable
debt+reduction+ohio
canada+debt+reduction
credit+card+debt+reduction+government+run
jazzercise+at+groupon
2013+top+ranked+health+insurance+plans+california
aarp+health+insurance+for+seniors+with+pre-existing+conditions
national+groupon
pyxism+home+based+business+home+based+online+business+business+oppotunity+and+call
colorado+car+insurance
auto+insurance+companies+california
credit+card+debt+consolidation+florida+cds
credit+card+machines+uk
debt+consolidation+loan+payments
bears+college+degrees
car+insurance+company+just+woman
i+need+adipex
accutane+crohns+irritable+bowel
where+to+buy+fioricet+online
texas+largest+personal+auto+insurance+companies
debt+management+and+credit+counseling
top+careers+without+a+college+degree
online+college+classes+upper+michigan
business+credit+card+account
ajax+credit+card+processing
family+florida+health+insurance+plan
family+health+insurance+ohio
research+statistics+on+the+advantages+of+having+a+college+degree
complaints+on+auto+owners+insurance+company
criminal+justice+degree+at+bay+state+college+in+middleboro+massachusetts
groupon+inc.+chicagoil
fast+debt+relief
group+health+insurance+for+farmers
online+degree+programs+prophesy
merchant+services+credit+card+processing
effects+of+metformin+xr+on+blood+glucose+levels
st.+pauls+college+online
blue+cross+california+affordable+health+insurance+term+life
arizona+car+insurance
singapore+cheap+domain+name+registration
10000+instant+personal+loan
chocolate+gift+baskets+richmond+bc
repair+credit
credit+report+and+charge+off
skaggs+consumer+credit+counseling+service+of+central
car+insurance+rate+low+cost+life+insurance+home+ow
think+debt+relief
credit+repair+consultant
buy+dinars+with+credit+cards
washington+state+universities+with+criminal+justice+degrees
insurance+net+low+auto+insurance+quote+from+top+ca
newloanrequest+fast+cash+personal+loans
debt+settlement+pennsylvania
100+online+master+of+art+psychology+degree+programs
financing+business+using+credit+cards
groupon+roanoke+va
need+business+credit+cards
undergraduate+degree+in+environmental+engineering
college+degrees+for+the+real+world
auto+insurance+rate+in+salt+lake+city+metropolitan+life+insu
send+flowers+cheap+ct
quickbooks+credit+card+processing
what+is+a+state+farm+utility+rating+credit
business+insurance+phoenix
united+service+auto+insurance+company
dakota+free+group+health+insurance+quote+south
problems+receiving+payment+from+groupon
business+insurance+osha
mr+auto+insurance+company+in+jackosnville+fl
auto+insurance+quotes
debt+management+help
whats+the+difference+between+a+debt+consolidation+and+personal+loan
usbank+business+credit+cards
business+credit+cards+vermont
car+insurance+northern+ireland+abbey
toyota+used+car+warranty
cuyahoga+county+ohio+debt+consolidation+loans
what+health+insurance+company+will+cover+me+with+the+diagnosis+sleep+apnea?
california+cheap+health+insurance+quote
online+criminal+justice+degrees
credit+report+and+free
vicodin+detox
debt+settlement+company+regulations
debt+settlement+companies+that+purchase+consumer+debt
number+one+auto+insurance+company
car+insurance+rates+in+the+us
send+flowers+to+brazil
auxiliary+power+home+security+system
cheap+car+insurance
online+business+degree
auto+muscle+cars+insurance+companies
at+home+businesses+for+travel
chase+business+credit+cards
what+is+a+college+degree
{ref} could be any of the following:
- http://www.iseek.com/iseek/search.html?query={keyword}
- http://blekko.com/ws/?q={keyword}
- http://duckduckgo.com/?q={keyword}
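The beacon described above (script.php with sid, q, ref and lang parameters, where ref is a search-engine URL that repeats the keyword) is the kind of request a proxy log can be searched for. The following PowerShell is an added example for this page, not Trend Micro's code and not part of the original description. The log format (time, client IP, method, URL) and the sample lines are constructed here; the blocked host is replaced by the placeholder blocked-host.invalid; the function names are mine.

```powershell
# Added example, not part of the Trend Micro description: pick the beacon
# requests described above out of proxy log lines. Assumptions: the log format
# (time, client IP, method, URL) and the sample lines are constructed; the
# {BLOCKED} host is replaced by the placeholder blocked-host.invalid.

# Constructed sample lines; line 2 is ordinary browsing and must not match.
$SampleProxyLines = @(
    '2013-03-14T10:02:11Z 10.0.0.5 GET http://blocked-host.invalid/script.php?sid=8&q=cheap+car+insurance&ref=http%3A%2F%2Fduckduckgo.com%2F%3Fq%3Dcheap%2Bcar%2Binsurance&=Mozilla%2F5.0&lang=en-US'
    '2013-03-14T10:02:12Z 10.0.0.5 GET http://www.example.com/index.html'
    '2013-03-14T10:02:30Z 10.0.0.7 GET http://blocked-host.invalid/script.php?sid=8&q=debt+relief+laws&ref=http%3A%2F%2Fblekko.com%2Fws%2F%3Fq%3Ddebt%2Brelief%2Blaws&lang=en-US'
)

function ConvertFrom-BeaconUrl {
    param([Parameter(Mandatory)][string]$Url)
    $uri = $null
    if (-not [uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { return $null }
    if ($uri.AbsolutePath -notlike '*/script.php') { return $null }
    # Decode the query as a form: '+' is a space, then percent-decode. An
    # unnamed parameter (the "&={ua}" in the description) gets the key ''.
    $params = @{}
    foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
        if ($pair -eq '') { continue }
        $name, $value = $pair -split '=', 2
        if ($null -eq $value) { $value = '' }
        $params[[uri]::UnescapeDataString($name)] = [uri]::UnescapeDataString($value.Replace('+', ' '))
    }
    if (-not ($params.ContainsKey('sid') -and $params.ContainsKey('q'))) { return $null }
    $ref = $params['ref']
    $refUri = $null
    $refHost = ''
    if ($ref -and [uri]::TryCreate($ref, [UriKind]::Absolute, [ref]$refUri)) { $refHost = $refUri.Host }
    # A referrer whose own query repeats the keyword is a fabricated search
    # referral, the pattern the description shows for {ref}.
    $refRepeatsKeyword = $ref -and $ref.Contains($params['q'].Replace(' ', '+'))
    [pscustomobject]@{
        Host              = $uri.Host
        Sid               = $params['sid']
        Keyword           = $params['q']
        RefHost           = $refHost
        RefRepeatsKeyword = [bool]$refRepeatsKeyword
        Lang              = $params['lang']
    }
}

function Find-BeaconRequests {
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 4) { continue }
        $beacon = ConvertFrom-BeaconUrl -Url $fields[3]
        if ($null -ne $beacon) {
            $beacon | Add-Member -NotePropertyName Client -NotePropertyValue $fields[1] -PassThru
        }
    }
}

# On the constructed sample this reports two requests (clients 10.0.0.5 and
# 10.0.0.7) with RefHost duckduckgo.com and blekko.com, both RefRepeatsKeyword.
Find-BeaconRequests -LogLines $SampleProxyLines | Format-Table -AutoSize
```

The match is on the request shape rather than on the blocked host name, so it still finds the traffic if the server changes; a high volume of such requests from one client, each with a different insurance or loan keyword and a search-engine referrer that merely echoes it, is what distinguishes this beaconing from a user actually searching.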
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Identify and delete files detected as BKDR64_AGENT.GTY using either the Startup Disk or Recovery Console
To identify and delete the malware/grayware file:
• On Windows XP and Server 2003 systems:
- Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware files detected.
- Click Start>Run. In the Open input box, type secpol.msc and press Enter.
- In the left panel, double-click Local Policies>Security Options.
- In the right panel, double-click Recovery Console: Allow floppy copy and access to all drives and folders.
- Select Enabled and click OK.
- Insert the Windows Installation CD into the CD drive, then restart your computer.
- When prompted, press any key to boot from the CD.
- On the main menu, type r to go to the Recovery Console.
- Type the number that corresponds to the drive and directory that contains Windows (usually C:\WINDOWS) and press Enter.
- Type the Administrator password and press Enter.
- In the input box, type the following then press Enter:
SET AllowAllPaths = TRUE
del "{malware/grayware path and file name}"
- Type exit and press Enter to restart the system normally.
• On Windows Vista and 7 systems:
- Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware files detected.
- Insert your Windows Installation DVD in the DVD drive, then press the restart button.
- When prompted, press any key to boot from the CD.
- Depending on your Windows Installation DVD, you might be required to select the installation language. Then on the Install Windows window, choose your language, locale, and keyboard layout or input method. Click Next, then click Repair your computer.
- Select Use recovery tools that can help fix problems starting Windows. Select your installation of Windows. Click Next.
- If the Startup Repair window appears, click Cancel, Yes, then Finish.
- In the System Recovery Options window, click Command Prompt.
- In the Command Prompt window, type the following then press Enter:
BootRec.exe /fixmbr
del "{malware/grayware path and file name}"
- Type exit and press Enter to close the Command Prompt window.
- Click Restart to restart the system normally.
Step 3
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\inprocserver32
- [Default] = "%User Temp%\{random folder name}\{random folder name}\wow.dll"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- iehardenienowarn = "0"
- warnonbadcertrecving = "0"
- warnonpostredirect = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\url history
- daystokeep = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
- smartdithering = "0"
- autosearch = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain
- displaytrustalertdlg = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- noprotectedmodebanner = "1"
- ie9runonceperinstallcompleted = "1"
- ie9tourshown = "1"
- smoothscroll = "0"
- show image placeholders = "0"
- usethemes = "0"
- force offscreen composition = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- ieharden = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\internet explorer\main
- DisableFirstRunCustomize = "1"
To delete the registry value this malware created:
- Open Registry Editor. To do this, click Start>Run, type regedit in the text box provided, then press Enter.
- In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Classes>clsid>{fbeb8a05-beee-4442-804e-409d6c4515e9}>inprocserver32
- In the right panel, locate and delete the entry:
[Default] = "%User Temp%\{random folder name}\{random folder name}\wow.dll"
- In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings
- In the right panel, locate and delete the entry:
iehardenienowarn = "0"
- Again in the right panel, locate and delete the entry:
warnonbadcertrecving = "0"
- Again in the right panel, locate and delete the entry:
warnonpostredirect = "0"
- In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings>url history
- In the right panel, locate and delete the entry:
daystokeep = "0"
- In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer
- In the right panel, locate and delete the entry:
smartdithering = "0"
- Again in the right panel, locate and delete the entry:
autosearch = "0"
- In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>LowRegistry>DontShowMeThisDialogAgain
- In the right panel, locate and delete the entry:
displaytrustalertdlg = "0"
- In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
- In the right panel, locate and delete the entry:
noprotectedmodebanner = "1"
- Again in the right panel, locate and delete the entry:
ie9runonceperinstallcompleted = "1"
- Again in the right panel, locate and delete the entry:
ie9tourshown = "1"
- Again in the right panel, locate and delete the entry:
smoothscroll = "0"
- Again in the right panel, locate and delete the entry:
show image placeholders = "0"
- Again in the right panel, locate and delete the entry:
usethemes = "0"
- Again in the right panel, locate and delete the entry:
force offscreen composition = "0"
- In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings>ZoneMap
- In the right panel, locate and delete the entry:
ieharden = "0"
- In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>internet explorer>main
- In the right panel, locate and delete the entry:
DisableFirstRunCustomize = "1"
- Close Registry Editor.
Step 4
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32
- From: [Default] = "%User Temp%\{random folder name}\{random folder name}\wow.dll"
To: [Default] = "%System%\SHELL32.dll"
To restore the registry value this malware/grayware modified:
- Open Registry Editor. Click Start>Run, type REGEDIT in the text box provided, and then press Enter.
- In the left panel, double-click the following:
HKEY_CLASSES_ROOT>CLSID>{fbeb8a05-beee-4442-804e-409d6c4515e9}>InProcServer32
- In the right panel, locate the registry value:
[Default] = "%User Temp%\{random folder name}\{random folder name}\wow.dll"
- Right-click on the value name and choose Modify. Change the value data of this entry to:
[Default] = "%System%\SHELL32.dll"
- Close Registry Editor.
Step 5
Reset Internet security settings
To reset Internet security settings:
- Close all Internet browser windows.
- Open Control Panel. To do this:
• On Windows 2000
Click Start>Settings>Control Panel
• On Windows XP, Server 2003, Vista, and 7
Click Start>Control Panel
- Double-click Internet Options.
- In the Internet Properties window, click the Security tab.
- For each Web content zone, click on the Default Level button to set each zone to the default setting.
- Click OK.
Step 6
Search and delete these folders
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
- %User Temp%\{random folder name}\{random folder name}
To delete malware/grayware/spyware folders:
- Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
- In the Named input box, type:
- %User Temp%\{random folder name}\{random folder name}
- In the Look In drop-down list, select My Computer, then press Enter.
- Once located, select the folder then press SHIFT+DELETE to permanently delete the folder.
- Repeat steps 2 to 4 for the remaining folders:
- %User Temp%\{random folder name}\{random folder name}
Step 7
Scan your computer with your Trend Micro product to delete files detected as BKDR64_AGENT.GTY. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 8
Restore these modified registry values
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.
To restore registry values this malware/grayware modified:
- Open Registry Editor. To do this:
• On Windows 2000, XP, and Server 2003:
Click Start>Run, type REGEDIT in the text box provided, and then press Enter.
• On Windows Vista and 7:
Click the Start button, type REGEDIT in the Search input field then press Enter.
- Close Registry Editor.